We are using OIDC to authenticate users and noticed that the users are synchronized to the database based on their username by the ISynchronizingUserService. By default the username comes from the ClaimTypes.Name claim, which in our case can change for a user because it is simply made up of the first name and last name. When this happens a new SynchronizedUser record is created in the database and that causes issues with some functionality in the CMS. For example you will see the old username in the 'Last published by' label and versioning gadget.
The NameIdentifier claim contains a code/id that is unique to the user and will never change (it is also used by the user as their username when logging in). We can use that as the username by setting the NameClaimType to be ClaimTypes.NameIdentifier, as you can see here:
TokenValidationParameters = new TokenValidationParameters
{
    // Use the immutable subject identifier, not the display name, as the username
    NameClaimType = ClaimTypes.NameIdentifier
}
The problem with this approach is that the username is displayed throughout the CMS. It therefore becomes hard to identify which user published content changes. Is it possible to create a custom implementation of sorts to display first and last name instead of username within the CMS?
Ideally the user synchronization would support using an identifier instead of the username. Also I believe some IDPs return the email address in the name claim, which I assume would result in the email being displayed in the CMS, but I could be wrong about this though.
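To make the trade-off concrete, here is an added example (not from the post, and not Optimizely's own code) that uses only System.Security.Claims: it builds the identity the way the OIDC handler does for two tokens of the same user, before and after a name change, and shows that identity.Name (the value the user synchronization keys on) only stays stable when NameClaimType is NameIdentifier, while a display name can still be derived from the given/family name claims. The subject value and the presence of given_name/family_name claims are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

static class NameClaimDemo
{
    // Builds the identity the way the OIDC handler does once
    // TokenValidationParameters.NameClaimType is set: nameType decides
    // which claim backs identity.Name (the username the sync service stores).
    static ClaimsIdentity Build(string nameType, string subject, string first, string last) =>
        new ClaimsIdentity(new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, subject),   // stable id from the IdP
            new Claim(ClaimTypes.Name, $"{first} {last}"),    // mutable display name
            new Claim(ClaimTypes.GivenName, first),           // assumed to be issued
            new Claim(ClaimTypes.Surname, last),              // assumed to be issued
        }, "oidc", nameType, ClaimTypes.Role);

    // What the UI should show: the full name when available, the username otherwise.
    static string DisplayName(ClaimsIdentity id)
    {
        var first = id.FindFirst(ClaimTypes.GivenName)?.Value;
        var last = id.FindFirst(ClaimTypes.Surname)?.Value;
        return string.IsNullOrWhiteSpace(first + last) ? id.Name : $"{first} {last}".Trim();
    }

    static void Main()
    {
        const string subject = "u-12345"; // constructed sample subject identifier
        foreach (var nameType in new[] { ClaimTypes.Name, ClaimTypes.NameIdentifier })
        {
            // Same user, same subject, but the surname changed between logins
            var before = Build(nameType, subject, "Jane", "Smith");
            var after = Build(nameType, subject, "Jane", "Jones");
            Console.WriteLine($"NameClaimType = {nameType}");
            Console.WriteLine($"  Name before: {before.Name}, after: {after.Name}, " +
                              $"same sync key: {before.Name == after.Name}");
            Console.WriteLine($"  Display name: {DisplayName(after)}");
        }
    }
}
```

With ClaimTypes.Name the two logins produce different usernames (and so a second SynchronizedUser record); with ClaimTypes.NameIdentifier they produce the same key while the display name still reads "Jane Jones".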
This issue is a bit bigger than just synchronization of users. Ideally, the UI should display the full name of the user instead of just the username. Then you could use NameIdentifier as Name, if Name is not immutable in your identity provider. Can't find it now, but I'm pretty sure that idea is already reported here https://feedback.optimizely.com/ideas.